Data Protection Day quiz

Q.1

A GP practice receives a subject access request from someone claiming to be a former patient. The name on the request matches a record held by the practice, but there is nothing else in the request to enable the practice to be confident that the requestor is the patient to whom the record relates. What should the practice do?

Respond to the request promptly so as to comply with the 40 calendar days cut off
Ask for more information, such as a date of birth or passport, before responding to the request
Reply stating that health records are not covered by subject access requests

Q.2

A group of police forces are co-operating with immigration officials to collect evidence about a number of individuals thought to be involved in people trafficking. This involves exchanging data about suspects’ whereabouts and activities. What should the police do?

Get consent from the individuals to share their personal data with other organisations
Provide the individuals with subject access to the data while they are conducting the investigation
Share the data without the individual’s consent

Q.3

An employer receives several applications for a job vacancy. How long should they keep the recruitment records for unsuccessful applicants?

For at least five years, if a similar vacancy arises they can contact the unsuccessful applicant
Not for longer than the statutory period in which a claim arising from the recruitment process may be brought
For a month after the recruitment process during which time a claim arising from the recruitment may be brought

Q.4

Which of the following is classed as personal data?

The value of a house when used to determine an individual liability for Council Tax, or used to determine the assets of an individual’s proceedings following divorce.
A photograph of people taken during New Year’s celebrations in a public place by a journalist for a photo library.
A case file containing information about an investigation made into incidents of fly tipping by one particular company.

Q.5

Company A provides an employment reference for one of its employees to company B. The employee makes a SAR to both companies. Which company would include the reference in its SAR information?

Company A
Company B
Both

Q.6

Local traffic wardens have started using body worn video (BWV) cameras as part of a pilot scheme and their uniforms incorporate signs warning people they could be filmed. When might it be appropriate for a traffic warden to use the camera?

All day
When a warden is issuing a ticket
When there is potential for aggressive behaviour

Q.7

A government department sets up a database of information about every child in the country. It does this in partnership with local councils. Each council provides personal data about children in its area, and is responsible for the accuracy of the data it provides. It may also access personal data provided by other councils (and must comply with the data protection principles when using that data). Who is the data controller for the personal data in the database?

The government department
The local councils for the personal data from their respective areas
The government department and the local councils jointly

Q.8

A fitness centre regularly mails a newsletter to its members. Some members have objected to this use of their personal data and the fitness centre has, quite properly, flagged this objection on their system. The fitness centre wants to ensure that these previously expressed wishes have not changed, particularly since the content of the newsletter has changed considerably over the last few months and it can also now be sent out as an email. How could they do this?

Send out the newsletter to everyone on the original list just in case they have changed their minds
Mention changes to the newsletter in ‘usual course of business’ contact with members such as membership renewal
Call all members directly to tell them the newsletter is now available via email

Q.9

As part of its security measures, an organisation ensures that information on laptop computers issued to staff is protected by encryption. Which of these would come under the information security section of the Data Protection Act?

That desktop computer screens in its offices are positioned so that they cannot be viewed by casual passers-by
Paper waste is collected in secure bins and is shredded on site at the end of each week
Both

Q.10

An organisation wishes to expand its online presence to include social media. The organisation develops a third party application to run within a social network platform. Who will be the data controller?

The organisation
The social network platform
Both